ID de Prueba:	1.3.6.1.4.1.25623.1.0.51357
Categoría:	Conectiva Local Security Checks
Título:	Conectiva Security Advisory CLA-2004:858
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing updates announced in advisory CLA-2004:858. SquirrelMail[1] is a widely used webmail client for php4. Four vulnerabilities were discovered in SquirrelMail: Alvin Alex reported[2] that SquirrelMail 1.4.2 is prone to multiple cross-site scripting[3] attacks which could allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. Roman Medina discovered[4] a cross-site scripting (XSS) vulnerability[5] in mime.php for SquirrelMail before 1.4.3 that allows remote attackers to insert arbitrary HTML and script code via the content-type mail header, as demonstrated using read_body.php. An SQL injection vulnerability[6] in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. Roman Medina also found[7] other multiple cross-site scripting (XSS) vulnerabilities[8] in SquirrelMail 1.2.10 and earlier that allows remote attackers to inject arbitrary HTML or script via (a) the $mailer variable in read_body.php, (b) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (c) the $event_title variable or (d) the $event_text variable. Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade' http://www.squirrelmail.org/ http://www.securityfocus.com/archive/1/361831/2004-08-08/2004-08-14/2 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0519 http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0520 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0521 http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0639 http://www.securityspace.com/smysecure/catid.html?in=CLA-2004:858 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002004 Risk factor : Critical CVSS Score: 10.0
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2004-0519 BugTraq ID: 10246 http://www.securityfocus.com/bid/10246 Bugtraq: 20040429 SquirrelMail Cross Scripting Attacks.... (Google Search) http://marc.info/?l=bugtraq&m=108334862800260 Bugtraq: 20040430 Re: SquirrelMail Cross Scripting Attacks.... (Google Search) http://www.securityfocus.com/archive/1/361857 Conectiva Linux advisory: CLA-2004:858 http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000858 Debian Security Information: DSA-535 (Google Search) http://www.debian.org/security/2004/dsa-535 http://www.securityfocus.com/advisories/6827 https://bugzilla.fedora.us/show_bug.cgi?id=1733 http://security.gentoo.org/glsa/glsa-200405-16.xml https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1006 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10274 RedHat Security Advisories: RHSA-2004:240 http://rhn.redhat.com/errata/RHSA-2004-240.html http://secunia.com/advisories/11531 http://secunia.com/advisories/11686 http://secunia.com/advisories/11870 http://secunia.com/advisories/12289 SGI Security Advisory: 20040604-01-U ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc SuSE Security Announcement: SUSE-SR:2005:019 (Google Search) http://www.novell.com/linux/security/advisories/2005_19_sr.html XForce ISS Database: squirrel-composephp-xss(16025) https://exchange.xforce.ibmcloud.com/vulnerabilities/16025 Common Vulnerability Exposure (CVE) ID: CVE-2004-0520 BugTraq ID: 10439 http://www.securityfocus.com/bid/10439 Bugtraq: 20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability (Google Search) http://marc.info/?l=bugtraq&m=108611554415078&w=2 http://www.gentoo.org/security/en/glsa/glsa-200406-08.xml http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt http://marc.info/?l=squirrelmail-cvs&m=108532891231712 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1012 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10766 Common Vulnerability Exposure (CVE) ID: CVE-2004-0521 http://www.securityfocus.com/advisories/7148 BugTraq ID: 10397 http://www.securityfocus.com/bid/10397 Computer Incident Advisory Center Bulletin: O-212 http://www.ciac.org/ciac/bulletins/o-212.shtml http://marc.info/?l=squirrelmail-cvs&m=108309375029888 http://www.osvdb.org/6841 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1033 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11446 http://secunia.com/advisories/11685 XForce ISS Database: squirrelmail-sql-injection(16235) https://exchange.xforce.ibmcloud.com/vulnerabilities/16235 Common Vulnerability Exposure (CVE) ID: CVE-2004-0639 BugTraq ID: 10450 http://www.securityfocus.com/bid/10450 XForce ISS Database: squirrelmail-from-header-xss(16285) https://exchange.xforce.ibmcloud.com/vulnerabilities/16285
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.